Analysis
max time kernel: 84s
max time network: 89s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 07:41
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: ExxxxSet_up.exe
Resource: win7-20240903-en
1 signatures
150 seconds
General
Target: ExxxxSet_up.exe
Size: 749.4MB
MD5: fe069d8e3711f5c4ac4a0735a02fc303
SHA1: 3352dcd0c6913f206dde60ea95afaff471895138
SHA256: dc5d859a301eec28319936a6b94d3eb439f7b62b890bcf177d25718a3b8418cc
SHA512: c0382e00c16c93e1e0c1a2a40937c84568cdb66f31e1735975546a3d1904d7b8ce12cb4d6c33ef07d993962daca6825a9446867305f308d29186729533289708
SSDEEP: 196608:8lN3eZmCSq9xx0+tH8o7o3X0HXG6uq9+nkl0pIlKeRfMU/nV:sRExxrG3k2TqNvF
Malware Config
Extracted
Family: lumma
C2: https://condedqpwqm.shop/api
Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
16 | raw.githubusercontent.com
15 | raw.githubusercontent.com
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1900 set thread context of 372 | 1900 | ExxxxSet_up.exe | 91
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ExxxxSet_up.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BitLockerToGo.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1092 | taskmgr.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (14 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1900 | ExxxxSet_up.exe
Token: SeDebugPrivilege | 1092 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1092 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1092 | taskmgr.exe
Token: SeBackupPrivilege | 2512 | svchost.exe
Token: SeRestorePrivilege | 2512 | svchost.exe
Token: SeSecurityPrivilege | 2512 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2512 | svchost.exe
Token: 35 | 2512 | svchost.exe
Token: SeBackupPrivilege | 2512 | svchost.exe
Token: SeRestorePrivilege | 2512 | svchost.exe
Token: SeSecurityPrivilege | 2512 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2512 | svchost.exe
Token: 35 | 2512 | svchost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
1092 | taskmgr.exe (64 identical entries)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
1092 | taskmgr.exe (64 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1900 wrote to memory of 372 | 1900 | ExxxxSet_up.exe | 91 (9 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\ExxxxSet_up.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ExxxxSet_up.exe"
  PID: 1900
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child process)
      Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      PID: 372
      - System Location Discovery: System Language Discovery

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1092
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 952

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k SDRSVC
  PID: 2512
  - Suspicious use of AdjustPrivilegeToken